Furthermore, this operation would have had another positive side effect for the attacker: the investigators would not have been able to generate more than a small subset of billing addresses (one for each detonation in the sample), and the task of measuring the total number of infections would have been considerably harder. The remaining option would have been to track some known addresses and analyse the movement of those accounts, in the hope that they would eventually converge at some point. The reason why this scheme was not applied came to light shortly afterwards: a race condition in the process that generated a unique address for each victim prevented it from working correctly, so that every victim ended up being assigned one of the now famous three addresses.
|Figure 1. Wannacry´s first movements.|
For the three addresses to carry out any operation, the author or authors of the attack would have had to sign the transactions with the corresponding private keys and submit them to a node of the blockchain so that they could be added to a block. From there, the author could have generated countless addresses under his own control and moved the funds among them in order to confuse the researchers.
|Figure 2. A visualisation of Blockseer’s movements|
|Figure 3. The HitBTC Exchange dashboard|
|Figure 4. The average block size.|
|Figure 5. Forks from the Bitcoin block chain.|
So what happened with Wannacry's Bitcoin Cash? It is not clear whether it was due to ignorance or a lack of interest, but it is certain that the Bitcoin Cash associated with the Wannacry accounts remained there for several months, until 7 November 2017. On that date, the authors carried out a single transaction which collected the entire Bitcoin Cash balance of all three addresses into a single address, specifically 122TBuG4jWjsfSABdNu4zNrBaREEk2a8od, a priori in order to simplify their management.
|Figure 6. The functionality of a mixer.|
In the case of coinmix.to, the user must provide an address at which he or she expects to receive the money to be hidden and the number of blocks after which it should arrive. Because of the way coinmix.to works, the user is then asked to send the amount whose trail he or she wants to blur to an address under the control of the platform, along with a small amount to cover the network fees and to pay for the service itself.
|Figure 7. The function of coinmix.to.|
After the agreed amount of time has elapsed, the applicant receives the balance at the address fixed as part of the request, in a transaction which also involves other addresses linked to the platform and, potentially, to other users. This is the mechanism that blurs the origin of the funds: the balance received at the destination address does not come from the original service-request transaction (that balance, in our case, remained under the control of the platform at the address 1NgUGX9F9zU4QtU9svqCd4gyyFvKhGyKBj).
|Figure 9. Bitcoin Cash mixer platform.|
However, it must be taken into account that the deposit address supplied by coinmix.to had already received 125 previous operations at the time of the test. This is relevant because, if in the future we gain visibility of an address that at some point operates with this particular one, we will be able to state with certainty that it has used this mixing service.
It is also worth emphasizing the large number of inputs that appear in the payment received at our destination account. This allows us to identify the addresses that the service uses to mix the transactions, bearing in mind that in order to spend the inputs that appear in it, the mixer must have signed the transaction with the corresponding private keys. The operation of privcoin.io is somewhat different. It offers the possibility of carrying out this task for various cryptocurrencies, not only for Bitcoin Cash, and it allows several return addresses to be configured, each receiving a different percentage, so that monitoring the operations becomes considerably more complicated: an analysis based on matching the transferred balance is no longer effective.
|Figure 9. Bitcoin Cash mixer platform.|
Unlike Coinmix, in the case of privcoin.io the addresses to which the user has to send the money are unique for each concealed transaction. In this way a team of analysts cannot use the blockchain to monitor the intermediate addresses and identify possible users. In fact, in the case of this platform, the addresses involved are only used twice: once to receive the money and once to transfer it onward.
|Figure 10. Details of the Privcoin transaction.|
In fact, the Bitcoin accounts have continued to receive operations after the August withdrawals. As a result, 1.89111948 bitcoins (0.23814854, 1.38351522 and 0.26945572) are still outstanding, slightly more than $15200, to which must be added the $84 corresponding to the 1.53575699 Bitcoin Gold also held in those accounts. It seems reasonable to think that the question is not whether there will be more movements, but when they will take place.